Abstract. Bergman's Ring $E_p$, parameterized by a prime number $p$, is a ring with $p^5$
elements that cannot be embedded in a ring of matrices over any commutative ring. This
ring was discovered in 1974. In 2011, Climent, Navarro and Tortosa described an efficient
implementation of $E_p$ using simple modular arithmetic, and suggested that this ring may
be a useful source for intractable cryptographic problems.

We present a deterministic polynomial time reduction of the Discrete Logarithm Problem
in $E_p$ to the classical Discrete Logarithm Problem in $\mathbb{Z}_p$, the $p$-element field.
In particular, the Discrete Logarithm Problem in $E_p$ can be solved, by conventional
computers, in sub-exponential time.

1. INTRODUCTION

For Discrete Logarithm based cryptography, it is desirable to find efficiently implementable
groups for which sub-exponential algorithms for the Discrete Logarithm Problem are not
available. Thus far, the only candidates for such groups seem to be (carefully chosen) groups
of points on elliptic curves [5, 7]. Groups of invertible matrices over a finite field, proposed
in [5], were proved by Menezes and Wu [6] inadequate for this purpose. Consequently,
any candidate for a platform group for Discrete Logarithm based cryptography must not be
efficiently embeddable in a group of matrices.

In 1974, Bergman proved that the ring $\mathrm{End}(\mathbb{Z}_p \times \mathbb{Z}_{p^2})$ of endomorphisms of the group
$\mathbb{Z}_p \times \mathbb{Z}_{p^2}$, where $p$ is a prime parameter, admits no embedding in any ring of matrices over
a commutative ring pp. In 2011, Climent, Navarro and Tortosa [3] described an efficient
implementation of $E_p$ (reviewed below), proved that uniformly random elements of $E_p$ are
invertible with probability greater than $1 - 2/p$, and supplied an efficient way to sample the
invertible elements of $E_p$ uniformly at random. Consequently, they proposed this ring as a
potential source for intractable cryptographic problems. Climent et al. proposed a
Diffie-Hellman type key exchange protocol over $E_p$, but it was shown by Kamal and Youssef [I]
not to be related to the Discrete Logarithm Problem, and to be susceptible to a polynomial
time attack.

We consider the Discrete Logarithm Problem in $E_p$. Since $E_p$ admits no embedding in any
ring of matrices over a commutative ring, the Menezes-Wu reduction attack [6] is not directly
applicable. We present, however, a deterministic polynomial time reduction of the Discrete
Logarithm Problem in $E_p$ to the classical Discrete Logarithm Problem in $\mathbb{Z}_p$, the $p$-element
field. In particular, the Discrete Logarithm Problem in $E_p$ can be solved by conventional
computers in sub-exponential time, and $E_p$ offers no advantage, over $\mathbb{Z}_p$, for cryptography
based on the Discrete Logarithm Problem.

2. Computing discrete logarithms in $\mathrm{End}(\mathbb{Z}_p \times \mathbb{Z}_{p^2})$

Climent, Navarro and Tortosa [3] provide the following faithful representation of Bergman's
Ring. The elements of $E_p$ are the matrices

$$g = \begin{pmatrix} a & b \\ cp & v + up \end{pmatrix}, \qquad a, b, c, u, v \in \{0, 1, \dots, p-1\}.$$

Addition (respectively, multiplication) is defined by first taking ordinary addition
(respectively, multiplication) over the integers, and then reducing each element of the first row
modulo $p$, and each element of the second row modulo $p^2$. The ordinary zero and identity
integer matrices serve as the additive and multiplicative neutral elements of $E_p$, respectively.
The element $g$ is invertible in $E_p$ if and only if $a, v \ne 0$.

The group of invertible elements in a ring $R$ is denoted $R^*$. For an element $g$ in a group,
$|g|$ denotes the order of $g$ in that group.

Definition 1. The Discrete Logarithm Problem in a ring $R$ is to find $x$ given an element
$g \in R^*$ and its power $g^x$, where $x \in \{0, 1, \dots, |g| - 1\}$.

Another version of the Discrete Logarithm Problem asks to find any $\tilde{x}$ such that $g^{\tilde{x}} = g^x$.
The reductions given below are applicable, with minor changes, to this version as well, but
it is known that the two versions are essentially equivalent (see Appendix B).

By the standard amplification techniques, one can increase the success probability of any 
discrete logarithm algorithm with non-negligible success probability to become arbitrarily 
close to 1. Thus, for simplicity, we may restrict attention to algorithms that never fail. 
For ease of digestion, we present our solution to the Discrete Logarithm Problem in $E_p$ by
starting with the easier cases, and gradually building up. Not all of the easier reductions 
are needed for the main ones, but they do contain some of the important ingredients of the 
main ones, and may also be of independent interest to some readers. 

2.1. Basic reductions. 

Reduction 2. Computing the order of an element in $R^*$, using discrete logarithms in $R$.

Details. For $g \in R^*$, $g^{-1} = g^{|g|-1}$. Thus, $|g| = \log_g(g^{-1}) + 1$. □

Reduction 3. Computing discrete logarithms in a product of rings using discrete logarithms
in each ring separately.

Details. For rings $R, S$, $(R \times S)^* = R^* \times S^*$. Let $(g, h) \in R^* \times S^*$ and $(g, h)^x = (g^x, h^x)$,
where $x \in \{1, \dots, |(g, h)|\}$, be given. Compute

$$x \bmod |g| = \log_g(g^x);$$

$$x \bmod |h| = \log_h(h^x).$$

Use Reduction 2 to compute $|g|$ and $|h|$. Compute, using the Chinese Remainder Algorithm,

$$x \bmod \mathrm{lcm}(|g|, |h|) = x \bmod |(g, h)| = x.$$ □

The Euler isomorphism is the function

$$\Phi_p : (\mathbb{Z}_p, +) \times (\mathbb{Z}_p^*, \cdot) \to (\mathbb{Z}_{p^2}^*, \cdot), \qquad (a, b) \mapsto (1 + ap)\, b^p \bmod p^2.$$

The function $\Phi_p$ is easily seen to be an injective homomorphism between groups of equal
cardinality, and thus an isomorphism of groups (cf. Paillier [9] in a slightly more involved
context). The Euler isomorphism can be inverted efficiently: Given $c \in \mathbb{Z}_{p^2}^*$, let $a \in \mathbb{Z}_p$, $b \in \mathbb{Z}_p^*$
be such that $c = (1 + ap) b^p \bmod p^2$. Then

$$c = (1 + ap) \cdot b^p = 1 \cdot b^p = b \pmod{p}.$$

Compute $b = c \bmod p$, then $b^p \bmod p^2$, then $1 + ap = c \cdot (b^p)^{-1} \bmod p^2$, where the inverse
is in $\mathbb{Z}_{p^2}^*$. Since $1 + ap < p^2$, we can subtract 1 and divide by $p$ to get $a$.

Reduction 4. Computing discrete logarithms in $\mathbb{Z}_{p^2}$ using discrete logarithms in $\mathbb{Z}_p$.

Details. Use the Euler isomorphism to transform the problem into a computation of a discrete
logarithm in $(\mathbb{Z}_p, +) \times (\mathbb{Z}_p^*, \cdot)$. Computing discrete logarithms in $(\mathbb{Z}_p, +)$ is trivial. Apply
Reduction 3. □
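
The inversion of the Euler isomorphism and Reduction 4, as an added Python example (not code from the paper). The function names are chosen here, and the brute-force `dlog_mod_p` is an assumed stand-in for the $\mathbb{Z}_p$ discrete logarithm oracle, usable only for toy primes.

```python
def phi(a, b, p):
    """Euler isomorphism: (a, b) -> (1 + a*p) * b^p mod p^2."""
    return (1 + a * p) * pow(b, p, p * p) % (p * p)

def phi_inv(c, p):
    """Invert phi as in the text: b = c mod p, then 1 + a*p = c * (b^p)^-1 mod p^2."""
    p2 = p * p
    b = c % p
    one_plus_ap = c * pow(pow(b, p, p2), -1, p2) % p2
    return (one_plus_ap - 1) // p, b

def ord_p(b, p):
    """Order of b in Z_p^* by trial; adequate for toy primes."""
    return next(k for k in range(1, p) if pow(b, k, p) == 1)

def dlog_mod_p(b, y, p):
    """Stand-in for the Z_p discrete logarithm oracle (brute force, toy primes only)."""
    t = 1
    for x in range(p):
        if t == y % p:
            return x
        t = t * b % p
    raise ValueError("y is not a power of b")

def dlog_mod_p2(g, h, p):
    """Return x in [0, |g|) with g^x = h in Z_{p^2}^*, using one logarithm in Z_p."""
    ag, bg = phi_inv(g, p)
    ah, bh = phi_inv(h, p)
    x_mult = dlog_mod_p(bg, bh, p)          # x mod |bg|, from the factor (Z_p^*, .)
    if ag == 0:
        return x_mult                       # additive coordinate is trivial: |g| = |bg|
    x_add = ah * pow(ag, -1, p) % p         # x mod p: solve x * ag = ah in (Z_p, +)
    n = ord_p(bg, p)
    # Reduction 3: combine by CRT; p and n are coprime because n divides p - 1.
    k = (x_mult - x_add) * pow(p, -1, n) % n if n > 1 else 0
    return x_add + p * k
```
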

2.2. Algebraic lemmata. 

Definition 5. $\overline{E}_p$ is the ring of matrices $\begin{pmatrix} a & b \\ cp & v \end{pmatrix}$, $a, b, c, v \in \{0, 1, \dots, p-1\}$, where addition
and multiplication are carried out over $\mathbb{Z}$, and then entry (2, 1) is reduced modulo $p^2$, and
the other three entries are reduced modulo $p$.

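Lemma 6. The map

$$E_p \to \overline{E}_p, \qquad \begin{pmatrix} a & b \\ cp & v + up \end{pmatrix} \mapsto \begin{pmatrix} a & b \\ cp & v \end{pmatrix}$$

is a ring homomorphism.

Proof. Since addition is component-wise, it remains to verify multiplicativity. Indeed, in $E_p$,

$$\begin{pmatrix} a_1 & b_1 \\ c_1 p & v_1 + u_1 p \end{pmatrix} \begin{pmatrix} a_2 & b_2 \\ c_2 p & v_2 + u_2 p \end{pmatrix} = \begin{pmatrix} a_1 a_2 & a_1 b_2 + b_1 v_2 \\ (c_1 a_2 + v_1 c_2) p & v_1 v_2 + (c_1 b_2 + v_1 u_2 + u_1 v_2) p \end{pmatrix},$$

and in $\overline{E}_p$,

$$\begin{pmatrix} a_1 & b_1 \\ c_1 p & v_1 \end{pmatrix} \begin{pmatrix} a_2 & b_2 \\ c_2 p & v_2 \end{pmatrix} = \begin{pmatrix} a_1 a_2 & a_1 b_2 + b_1 v_2 \\ (c_1 a_2 + v_1 c_2) p & v_1 v_2 \end{pmatrix}.$$ □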



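Lemma 7. Let $\bar{g} = \begin{pmatrix} a & b \\ cp & v \end{pmatrix} \in \overline{E}_p^*$, and let $x$ be a natural number. Define $d_x \in \mathbb{Z}_p$ by

$$d_x = \begin{cases} \dfrac{a^x - v^x}{a - v} & a \ne v; \\ x a^{x-1} & a = v. \end{cases}$$

Then

$$\bar{g}^x = \begin{pmatrix} a^x & b d_x \\ c d_x p & v^x \end{pmatrix}.$$

Proof. By induction on $x$. The statement is immediate when $x = 1$. Induction step: If
$a \ne v$, then in $\mathbb{Z}_p$,

$$a^x + d_x v = a^x + \frac{a^x - v^x}{a - v} \cdot v = \frac{(a - v) a^x + (a^x - v^x) v}{a - v} = \frac{a^{x+1} - v^{x+1}}{a - v} = d_{x+1};$$

$$a d_x + v^x = \frac{a (a^x - v^x)}{a - v} + \frac{(a - v) v^x}{a - v} = \frac{a^{x+1} - v^{x+1}}{a - v} = d_{x+1}.$$

If $a = v$, then

$$a^x + d_x v = a^x + x a^{x-1} v = a^x + x a^{x-1} a = a^x + x a^x = (x + 1) a^x = d_{x+1};$$

$$a d_x + v^x = x a^x + a^x = (x + 1) a^x = d_{x+1}.$$

Thus, in either case,

$$\bar{g}^{x+1} = \bar{g}^x \cdot \bar{g} = \begin{pmatrix} a^x & b d_x \\ c d_x p & v^x \end{pmatrix} \begin{pmatrix} a & b \\ cp & v \end{pmatrix} = \begin{pmatrix} a^{x+1} & b (a^x + d_x v) \\ c (a d_x + v^x) p & v^{x+1} \end{pmatrix} = \begin{pmatrix} a^{x+1} & b d_{x+1} \\ c d_{x+1} p & v^{x+1} \end{pmatrix}.$$ □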



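Lemma 8. Let $\bar{g} = \begin{pmatrix} a & b \\ cp & v \end{pmatrix} \in \overline{E}_p^*$.

(1) If $a = v$ and at least one of $b, c$ is nonzero, then $|\bar{g}| = p \cdot |a|$.

(2) In all other cases ($a \ne v$ or $b = c = 0$), $|\bar{g}| = \mathrm{lcm}(|a|, |v|)$.

Proof. Define $d_x$ as in Lemma 7. By Lemma 7,

$$\begin{pmatrix} a^{|\bar{g}|} & * \\ * & v^{|\bar{g}|} \end{pmatrix} = \bar{g}^{|\bar{g}|} = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}.$$

Thus, $|a|$ and $|v|$ divide $|\bar{g}|$, and therefore so does $\mathrm{lcm}(|a|, |v|)$.
We consider all possible cases.
If $b = c = 0$, then

$$\bar{g}^x = \begin{pmatrix} a^x & 0 \\ 0 & v^x \end{pmatrix}$$

for all $x$, and thus $|\bar{g}| = \mathrm{lcm}(|a|, |v|)$, as claimed in (2).

Assume, henceforth, that at least one of $b, c$ is nonzero, and let

$$l = \mathrm{lcm}(|a|, |v|).$$

If $a \ne v$, then

$$d_l = \frac{a^l - v^l}{a - v} = \frac{1 - 1}{a - v} = 0 \bmod p,$$

and thus, by Lemma 7, $\bar{g}^l = I$. Thus, $|\bar{g}|$ divides $l$, which we have seen to divide $|\bar{g}|$. It
follows that $|\bar{g}| = l$, as claimed in (2).
Assume, henceforth, that $a = v$.

Since $d_p = p a^{p-1} = 0 \bmod p$, we have by Lemma 7 that

$$\bar{g}^p = \begin{pmatrix} a^p & 0 \\ 0 & a^p \end{pmatrix} = \begin{pmatrix} a & 0 \\ 0 & a \end{pmatrix}.$$

It follows that $\bar{g}^{p \cdot |a|} = I$. Therefore, $|\bar{g}|$ divides $p \cdot |a|$. Recall that $|a|$ divides $|\bar{g}|$. Now,
$d_{|a|} = |a| \cdot a^{|a|-1} \bmod p$. Since $|a| < p$, $d_{|a|} \ne 0$. It follows that

$$\bar{g}^{|a|} = \begin{pmatrix} a^{|a|} & b d_{|a|} \\ c d_{|a|} p & a^{|a|} \end{pmatrix} \ne \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix},$$

and thus $|\bar{g}| = p \cdot |a|$, as claimed in (1). □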
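
A check of Lemma 7 and Lemma 8 against naive multiplication, as an added Python example (not the authors' code). An element $\begin{pmatrix} a & b \\ cp & v \end{pmatrix}$ of $\overline{E}_p$ is stored as the tuple `(a, b, c, v)`; this representation and the function names are assumptions made here.

```python
from math import gcd

def bar_mul(g, h, p):
    """Product in E-bar_p; (a, b, c, v) stands for the matrix [[a, b], [c*p, v]]."""
    a1, b1, c1, v1 = g
    a2, b2, c2, v2 = h
    return (a1 * a2 % p, (a1 * b2 + b1 * v2) % p, (c1 * a2 + v1 * c2) % p, v1 * v2 % p)

def ord_p(a, p):
    """Order of a in Z_p^* by trial; adequate for toy primes."""
    return next(k for k in range(1, p) if pow(a, k, p) == 1)

def d(x, a, v, p):
    """d_x of Lemma 7, computed in Z_p."""
    if a != v:
        return (pow(a, x, p) - pow(v, x, p)) * pow((a - v) % p, -1, p) % p
    return x * pow(a, x - 1, p) % p

def bar_pow(g, x, p):
    """Closed form of g^x from Lemma 7 (no repeated multiplication)."""
    a, b, c, v = g
    dx = d(x, a, v, p)
    return (pow(a, x, p), b * dx % p, c * dx % p, pow(v, x, p))

def bar_order(g, p):
    """Order of g as given by Lemma 8."""
    a, b, c, v = g
    if a == v and (b or c):
        return p * ord_p(a, p)
    m, n = ord_p(a, p), ord_p(v, p)
    return m * n // gcd(m, n)

def check_lemmas(p):
    """Compare both lemmas with naive multiplication for every unit of E-bar_p.
    Returns (units checked, mismatches)."""
    checked = bad = 0
    for a in range(1, p):
        for v in range(1, p):
            for b in range(p):
                for c in range(p):
                    g, t, x = (a, b, c, v), (a, b, c, v), 1
                    while t != (1, 0, 0, 1):           # walk g, g^2, ... up to the identity
                        bad += t != bar_pow(g, x, p)   # Lemma 7 at exponent x
                        t, x = bar_mul(t, g, p), x + 1
                    bad += x != bar_order(g, p)        # Lemma 8: first x with g^x = I
                    checked += 1
    return checked, bad
```
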
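
2.3. The main reductions.

Reduction 9. Computing discrete logarithms in $\overline{E}_p$ using discrete logarithms in $\mathbb{Z}_p$.

Details. Let $\bar{g} = \begin{pmatrix} a & b \\ cp & v \end{pmatrix} \in \overline{E}_p^*$, and let $x \in \{1, \dots, |\bar{g}|\}$. By Lemma 7,

$$\bar{g}^x = \begin{pmatrix} a^x & b d_x \\ c d_x p & v^x \end{pmatrix}.$$

If $a \ne v$ or $b = c = 0$, then by Lemma 8, $|\bar{g}| = \mathrm{lcm}(|a|, |v|)$. Compute

$$x \bmod |a| = \log_a(a^x);$$

$$x \bmod |v| = \log_v(v^x).$$

Since $x \le |\bar{g}|$, we can use the Chinese Remainder Algorithm to compute $x \bmod \mathrm{lcm}(|a|, |v|) = x$.

Thus, assume that $a = v$ and one of $b, c$ is nonzero. By Lemma 8, $|\bar{g}| = p \cdot |a|$. Compute

$$x_0 := x \bmod |a| = \log_a(a^x).$$

Compute

$$\bar{g}^{x - x_0} = \bar{g}^x \cdot \bar{g}^{-x_0} = \begin{pmatrix} a^{x - x_0} & b d_{x - x_0} \\ c d_{x - x_0} p & a^{x - x_0} \end{pmatrix} = \begin{pmatrix} 1 & b d_{x - x_0} \\ c d_{x - x_0} p & 1 \end{pmatrix}.$$

Since $b$ or $c$ is nonzero, we can extract $d_{x - x_0} \bmod p$. Compute

$$d_{x - x_0} \cdot a = (x - x_0) a^{x - x_0} = x - x_0 \bmod p.$$

As $x - x_0 \le x \le |\bar{g}| = p \cdot |a|$, we can use the Chinese Remainder Algorithm to compute

$$(x - x_0) \bmod \mathrm{lcm}(p, |a|) = (x - x_0) \bmod p \cdot |a| = x - x_0.$$

Add $x_0$ to obtain $x$. □
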
Reduction 10. Computing discrete logarithms in $E_p$ using discrete logarithms in $\mathbb{Z}_p$.

Details. Let $g = \begin{pmatrix} a & b \\ cp & v + up \end{pmatrix} \in E_p^*$ and let $x \in \{1, \dots, |g|\}$. Take $\bar{g} = \begin{pmatrix} a & b \\ cp & v \end{pmatrix} \in \overline{E}_p^*$. Use
Lemma 8 and Reduction 2 to compute $|\bar{g}|$. By Lemma 6, $|\bar{g}|$ divides $|g|$. As $\bar{g}^{|\bar{g}|} = I$ is the
image of $g^{|\bar{g}|}$ under the homomorphism of Lemma 6, we have that

$$g^{|\bar{g}|} = \begin{pmatrix} 1 & 0 \\ 0 & 1 + sp \end{pmatrix}$$

for some $s \in \{0, \dots, p-1\}$. Using Reduction 9, compute

$$x_0 := \log_{\bar{g}}(\bar{g}^x) = x \bmod |\bar{g}|.$$

If $s = 0$ then $|g| = |\bar{g}|$, and thus $x_0 := \log_{\bar{g}}(\bar{g}^x) = \log_g(g^x) = x$, and we are done. If $s \ne 0$,
let $q = (x - x_0)/|\bar{g}|$. Since the order of $1 + sp$ in $\mathbb{Z}_{p^2}$ is $p$ (in $\mathbb{Z}_{p^2}$, $(1 + sp)^e = 1 + esp$ for all
$e$), the order of $g^{|\bar{g}|}$ is $p$, and thus $|g| = |\bar{g}| \cdot p$. Thus, $q \le x/|\bar{g}| \le |g|/|\bar{g}| = p$. Compute

$$g^{x - x_0} = g^x \cdot g^{-x_0} = \left(g^{|\bar{g}|}\right)^q = \begin{pmatrix} 1 & 0 \\ 0 & 1 + sp \end{pmatrix}^q = \begin{pmatrix} 1 & 0 \\ 0 & (1 + sp)^q \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ 0 & 1 + sqp \end{pmatrix}.$$

Compute $sq \bmod p = ((1 + sqp) - 1)/p$. In $\mathbb{Z}_p$, multiply by $s^{-1}$ to obtain $q \bmod p = q$.
Multiply by $|\bar{g}|$ to get $x - x_0$, and add $x_0$. □

3. Summing up: Code 

Following is a self-explanatory code (in Magma [2]) of our main reductions. This code
shows, in a concise manner, that the number of computations of discrete logarithms in $\mathbb{Z}_p$
needed to compute discrete logarithms in Bergman's Ring $E_p$ is at most 2. For completeness,
we provide, in Appendix A, the basic routines.

F := GaloisField(p);
Z := IntegerRing();
I := ScalarMatrix(2, 1); //identity matrix

function EpBarOrder(g) //Lemma 8
    a := F!(g[1,1]);
    v := F!(g[2,2]);
    if (a ne v) or (IsZero(g[1,2]) and IsZero(g[2,1])) then
        order := Lcm(Order(a), Order(v));
    else
        order := p*Order(a);
    end if;
    return order;
end function;

function EpBarLog(g,h) //Reduction 9
    a := F!(g[1,1]);
    b := F!(g[1,2]);
    c := F!(g[2,1] div p);
    v := F!(g[2,2]);
    x0 := Log(a, F!(h[1,1])); //x mod |a|
    if (a ne v) or (IsZero(b) and IsZero(c)) then
        xv := Log(v, F!(h[2,2])); //x mod |v|
        x := ChineseRemainderTheorem([x0,xv], [Order(a),Order(v)]);
    else
        ginv := EpBarInverse(g);
        f := EpBarPower(ginv, x0);
        f := EpBarProd(h, f); //f = g^(x-x0)
        if IsZero(c) then
            d := b^-1 * F!(f[1,2]);
        else
            d := c^-1 * F!(f[2,1] div p);
        end if;
        delta := Z!(d*a); //(x-x0) mod p
        truedelta := ChineseRemainderTheorem([0,delta], [Order(a),p]);
        x := truedelta+x0;
    end if;
    return x;
end function;

function EpLog(g,h) //Reduction 10
    gbar := Bar(g); hbar := Bar(h);
    gbarorder := EpBarOrder(gbar);
    x0 := EpBarLog(gbar, hbar);
    f := EpPower(g, gbarorder);
    s := (f[2,2]-1) div p;
    if IsZero(s) then
        x := x0;
    else
        ginv := EpInverse(g);
        f := EpPower(ginv, x0);
        f := EpProd(h, f); //f = g^(x-x0)
        n := (f[2,2]-1) div p;
        q := (F!s)^-1*F!n;
        x := gbarorder*(Z!q)+x0;
    end if;
    return x;
end function;

We have tested these routines extensively: For random primes of size 4, 8, 16, 32, 64, and
128 bits, and thousands of random pairs $g, h = g^x$, EpLog(g,h) always returned $x$.

Appendix A. Elementary routines

To remove any potential ambiguity, and help readers interested in reproducing our
experiments, we provide here the basic routines for arithmetic in Bergman's Ring $E_p$.

function EpProd(A, B) //integer matrices
    C := A*B;
    C[1,1] mod:= p;
    C[1,2] mod:= p;
    C[2,1] mod:= p^2;
    C[2,2] mod:= p^2;
    return C;
end function;

function Bar(g) //the homomorphism of Lemma 6
    h := g;
    h[2,2] mod:= p;
    return h;
end function;

function EpBarProd(A, B) //integer matrices
    return Bar(EpProd(A,B));
end function;

function EpInvertibleEpMatrix()
    g := ZeroMatrix(Z, 2, 2);
    g[1,1] := Random([1..p-1]);
    g[1,2] := Random([0..p-1]);
    g[2,1] := p*Random([0..p-1]);
    g[2,2] := Random([1..p-1])+p*Random([1..p-1]);
    return g;
end function;

function EpPower(g, n) //square and multiply
    result := I;
    while not IsZero(n) do
        if ((n mod 2) eq 1) then
            result := EpProd(result, g);
            n -:= 1;
        end if;
        g := EpProd(g, g);
        n div:= 2;
    end while;
    return result;
end function;

function EpBarPower(g, n)
    return Bar(EpPower(g, n));
end function;

function EpInverse(g)
    a := F!(g[1,1]);
    b := F!(g[1,2]);
    c := F!(g[2,1] div p);
    u := F!(g[2,2] div p);
    v := F!(g[2,2]);
    ginv := ZeroMatrix(Z,2,2);
    ginv[1,1] := Z!(a^-1);
    ginv[1,2] := Z!(-a^-1*b*v^-1);
    ginv[2,1] := p*Z!(-v^-1*c*a^-1);
    ginv[2,2] := Z!(v^-1)+
        p*Z!(c*a^-1*b*v^-2-u*v^-2-(F!(Z!v*Z!(v^-1) div p)*v^-1));
    return ginv;
end function;

function EpBarInverse(g)
    return Bar(EpInverse(g));
end function;



Appendix B. Equivalence of Discrete Logarithm Problems

The result in this appendix should be well known to experts, but since we are not aware
of any reference for it, we include it for completeness. Consider the following two versions
of the Discrete Logarithm Problem in a prescribed finite group $G$. We assume that $|G|$, or
a polynomial upper bound $K$ on $|G|$, is known. We do not assume that $G$ is cyclic.

DLP1: Find $x$, given an element $g \in G$ and its power $g^x$, where $x \in \{0, 1, \dots, |g| - 1\}$.
DLP2: Given an element $g \in G$ and its power $g^x$, find $\tilde{x}$ with $g^{\tilde{x}} = g^x$.

DLP1 is harder than DLP2: A DLP1 oracle returns $\tilde{x} := x \bmod |g|$ on input $g, g^x$. On
the other hand, DLP2 is probabilistically harder than DLP1: It suffices to show how $|g|$ can
be computed using a DLP2 oracle. Indeed, for a large enough (but polynomial) number of
random elements $r \in \{K, K+1, \dots, M\}$ where $M \gg K$ is fixed, let $\tilde{r}$ be the output of DLP2
on $(g, g^r)$. Then $|g|$ divides all numbers $(\tilde{r} - r) \bmod g$, and the greatest common divisor of
these numbers is $|g|$, except for a negligible probability.
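
The order-recovery argument above, as an added Python example (not from the paper). The oracle is a constructed stand-in over $\mathbb{Z}_p^*$ for a toy prime $p$; all names and parameters are assumptions made here.

```python
import random
from math import gcd

def make_dlp2_oracle(p, rng):
    """Constructed DLP2 oracle for Z_p^* (toy prime): returns some xt with g^xt = y."""
    def oracle(g, y):
        n = next(k for k in range(1, p) if pow(g, k, p) == 1)   # |g|, hidden from the caller
        x = next(k for k in range(n) if pow(g, k, p) == y % p)  # brute-force logarithm
        return x + n * rng.randrange(0, 4)                      # any representative is valid
    return oracle

def order_from_dlp2(g, oracle, p, K, M, samples, rng):
    """Appendix B: gcd of the differences r - r~ over random r in {K, ..., M}.
    Every difference is a multiple of |g|; the gcd equals |g| with high probability."""
    acc = 0
    for _ in range(samples):
        r = rng.randrange(K, M + 1)
        rt = oracle(g, pow(g, r, p))        # oracle sees only (g, g^r)
        acc = gcd(acc, abs(r - rt))
    return acc

def demo():
    """Recover the orders of a few elements of Z_1009^* using only the oracle."""
    p, rng = 1009, random.Random(1)
    oracle = make_dlp2_oracle(p, rng)
    return {g: order_from_dlp2(g, oracle, p, p, 10**9, 40, rng) for g in (2, 3, 11, 1008)}
```
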

Department of Mathematics, Bar-Ilan University, Ramat Gan 52900, Israel
E-mail address: baninmmm@gmail.com, tsaban@math.biu.ac.il
URL: http://www.cs.biu.ac.il/~tsaban



